This chapter has analyzed the eMobility infrastructure, including the system requirements, the architecture and the charging protocol. The messages exchanged according to ISO/IEC 15118 when charging with contract-based payment have been examined in detail. Further, the security and privacy approach of ISO/IEC 15118 has been analyzed. The standard addresses security in the requirements and integrates it into the protocol. The protocol is secure against the threats found by Falk and Fries. Therefore, we will not look at further attacks or weaknesses in the protocol. However, it is evident that privacy was not a design goal. The privacy impact of the protocol is analyzed in the next chapter.
Chapter 4: Privacy in eMobility
This chapter investigates the privacy impact of electric vehicle charging. First, an introduction to information privacy is given. Based on the legal regulations and known privacy principles, the privacy requirements for the eMobility system are determined. Next, privacy impact assessments (PIAs) are discussed and an approach for eMobility is worked out. Finally, the PIA is applied to the eMobility system and constructive suggestions are made for reducing the privacy impact.
As stated in Section 2.5, this thesis focuses on the vehicle driver's (information) privacy¹ and the automated billing scenario for the privacy analysis.
4.1 Privacy overview
Privacy is one of the fundamental rights according to the United Nations Universal Declaration of Human Rights and other national human rights laws. However, perceptions of privacy have changed over the years, especially with the rise of information technology, which has simplified the collection and processing of information.
Several definitions of privacy exist depending on the context, country and culture [90,91]. According to Warren and Brandeis, privacy is "the right to be left alone" [104]. Nissenbaum's theory of "contextual integrity" states that a privacy violation occurs only in case of inappropriate decontextualization of private information, i.e. if private information was collected under certain conditions and the information is used otherwise [71]. Westin defines privacy as "the claim of individuals, groups and institutions to determine for themselves when, how and to what extent information about them is communicated to others." [105]. This form of privacy is often referred to as information privacy. For this analysis, information privacy is the most relevant. Information privacy considers the collection, processing and storage of personal information². Personal information is data that can uniquely identify an individual. It is not necessary that an individual is directly identified, for example, by name, address or identification number. Data that indirectly identifies an individual, e.g., by means of data mining, is also considered to be personal data [87,99]. Indirect personal data is also called personally identifiable information (PII) [99].
4.1.1 Privacy requirements
When developing a system, privacy regulations such as the European Data Protection Directives 95/46/EC [45] and 2002/58/EC [44], or the U.S. federal privacy laws, have to be taken into account [48]. These laws state under what conditions personal data is allowed to be used and how it has to be handled. The Organization for Economic Cooperation and Development (OECD) has summarized the privacy laws in a list of eight key privacy principles in [73]. These principles are often used as the basis for privacy requirements. For this thesis we will focus on the European regulations.
¹ In this thesis no distinction is made between the vehicle driver and the vehicle owner unless otherwise stated.
² Personal information is also referred to as personal data, since digital forms of collection and storage are often used.
Similar to the OECD privacy principles, Agrawal et al. have created a set of ten principles for the design of hippocratic databases [2]. Despite being originally proposed for database systems, the principles have been successfully adapted for other domains, such as car-to-car communication [63]. Hence, we base our discussion of privacy requirements on an adaptation of Agrawal's principles. These principles are in line with the EU regulations for data protection and ePrivacy (cf. [44]). Privacy is considered from the point of view of the vehicle driver.
1) Purpose specification: There should be a purpose for each data item that is collected. This purpose should be explicitly specified for reference. For example, a name, contract identifier and billing address may be required for handling the billing. Then billing is the purpose of collecting the data. This is one of the EU data protection requirements.
2) Consent: The driver should be informed about how her data is to be used and give her consent. For example, if the driver does not want her billing details to be used, the system should not offer such payment options to this specific driver. Instead she may be able to pay with cash or an anonymous prepaid card. Consent is one of the EU data protection requirements.
3) Limited collection: Only the data that is required for system operation should be recorded. For example, if it is not necessary to record the exact location of the charging station, it should not be stored. Reducing the amount of collected data also requires fewer resources to protect the data.
4) Limited use: When using a data item, e.g., a billing address, for some operation, such as sending a bill, this operation should match the purpose specification for that data item. For example, if a party wants to use the billing address of a user for targeted advertisement, but the purpose specification of the data item indicates that it is intended for billing only, the party may not use the data even if it has access to it.
5) Limited disclosure: Data should only be available to those parties that require the data and for whom the data subject has given her consent. If the user gave her credit card number to the charging station, it should not be forwarded to a third party that is not involved in the transaction.
6) Limited retention: Data should only be stored as long as is required to finish the action for which the data has been collected. For example, the ISO 15118 standard proposes that if a user directly pays the charging station, all meter data and other records on the transaction are deleted and not transferred to any third party. However, there may be additional legal requirements to retain data for longer.
7) Accuracy: Data stored on eMobility users should always be accurate and up to date. The ISO 15118 standard requires a semi-online charging station to transmit the charging process data at least once a day, so it can be verified that the transaction was valid and the user can be billed accordingly.
8) Security: It is important that all data is securely stored and transmitted. Any key material, billing information and location data has to be protected by security measures. Theft and modification also have to be prevented. The security requirements have been addressed in Section 3.4.1.
9) Openness: Every user of the eMobility system should be able to access all the information stored about her. For example, a procedure should be in place to request this data. This is one of the EU data protection requirements.
10) Compliance: It should be possible to verify that the eMobility system complies with the above requirements. Most of the requirements are legally binding when processing personally identifiable information. The other points may be agreed to by contract or policies.
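To show how principles 1 to 6, 9 and 10 translate into enforceable mechanics rather than policy text, the following added example (not code from the thesis, Agrawal et al., or ISO 15118) implements a small purpose-bound data store. Every item is tagged at collection time with its specified purposes, the purposes the driver consented to, the parties allowed to receive it and a retention deadline; access is granted only when both the requesting party and the stated purpose match the tag, expired items are purged, a subject access request returns what is held, and every decision is written to an audit log for compliance checks. All names, parties, purposes and values (driver-42, mobility_operator, ad_broker, the 30-day retention) are constructed for the illustration.

```python
"""Purpose-bound data store enforcing hippocratic-style privacy principles.

Added illustration; not from the thesis or ISO 15118. Party names, purposes
and the sample values below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class PolicyTag:
    purposes: frozenset      # 1) purpose specification
    consented: frozenset     # 2) consent given by the data subject
    recipients: frozenset    # 5) parties allowed to receive the item
    expires_at: datetime     # 6) limited retention deadline


@dataclass
class DataItem:
    name: str
    value: str
    tag: PolicyTag


class PolicyViolation(Exception):
    pass


class HippocraticStore:
    def __init__(self, now=None):
        self._items = {}          # (subject, item name) -> DataItem
        self._audit = []          # 10) compliance: every decision is recorded
        self._now = now or (lambda: datetime.now(timezone.utc))

    def collect(self, subject, name, value, purposes, consented, recipients, retention):
        # 1)-3): refuse items with no purpose or with a purpose lacking consent.
        purposes, consented = frozenset(purposes), frozenset(consented)
        if not purposes:
            raise PolicyViolation(f"{name}: no purpose specified")
        if not purposes <= consented:
            raise PolicyViolation(f"{name}: no consent for {set(purposes - consented)}")
        tag = PolicyTag(purposes, consented, frozenset(recipients), self._now() + retention)
        self._items[(subject, name)] = DataItem(name, value, tag)
        self._audit.append(("collect", subject, name, sorted(purposes)))

    def access(self, subject, name, party, purpose):
        # 4) limited use and 5) limited disclosure: purpose AND party must match.
        self.purge_expired()
        item = self._items.get((subject, name))
        if item is None:
            self._audit.append(("deny", subject, name, party, purpose, "absent"))
            raise PolicyViolation(f"{name}: not stored (or retention expired)")
        if purpose not in item.tag.purposes or party not in item.tag.recipients:
            self._audit.append(("deny", subject, name, party, purpose, "policy"))
            raise PolicyViolation(f"{name}: {party} may not use it for {purpose}")
        self._audit.append(("allow", subject, name, party, purpose))
        return item.value

    def purge_expired(self):
        # 6) limited retention: delete items past their deadline.
        now = self._now()
        expired = [k for k, it in self._items.items() if it.tag.expires_at <= now]
        for subject, name in expired:
            del self._items[(subject, name)]
            self._audit.append(("purge", subject, name))
        return len(expired)

    def subject_access_request(self, subject):
        # 9) openness: everything held about one driver, with its purposes.
        self.purge_expired()
        return {it.name: sorted(it.tag.purposes)
                for (s, _), it in self._items.items() if s == subject}

    def audit_log(self):
        return list(self._audit)


def demo():
    """Constructed scenario with a controllable clock so retention is testable."""
    clock = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    store = HippocraticStore(now=lambda: clock[0])
    store.collect("driver-42", "billing_address", "Example Street 1",
                  purposes={"billing"}, consented={"billing"},
                  recipients={"mobility_operator"}, retention=timedelta(days=30))
    results = {"billing_ok": store.access("driver-42", "billing_address",
                                          "mobility_operator", "billing")}
    attempts = [("advertising", "mobility_operator", "advertising"),   # wrong purpose
                ("third_party", "ad_broker", "billing")]               # wrong recipient
    for label, party, purpose in attempts:
        try:
            store.access("driver-42", "billing_address", party, purpose)
            results[label] = "allowed"
        except PolicyViolation:
            results[label] = "denied"
    try:  # collecting for a purpose the driver never consented to is refused
        store.collect("driver-42", "email", "a@example.invalid", purposes={"marketing"},
                      consented={"billing"}, recipients={"mobility_operator"},
                      retention=timedelta(days=1))
        results["collect_without_consent"] = "allowed"
    except PolicyViolation:
        results["collect_without_consent"] = "denied"
    clock[0] += timedelta(days=31)      # move past the retention deadline
    results["after_retention"] = store.subject_access_request("driver-42")
    results["audit_entries"] = len(store.audit_log())
    return results


if __name__ == "__main__":
    print(demo())
```

The check is deliberately conjunctive: a recipient that is on the list but names an unapproved purpose is refused just like an unknown recipient, which is what separates limited use from plain access control. The audit log is what a compliance reviewer (principle 10) would inspect; in a real deployment it would be append-only and held by a party other than the one being audited.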
4.1.2 Summary of eMobility privacy concerns
An introduction to the privacy concerns in eMobility has been given in Section 2.3. Overall, the privacy concerns can be summarized as follows:
• While charging, PII is transferred to the charging station and the backend.
• Charging occurs frequently, i.e. multiple times a day at different locations. Hence, PII is transferred frequently.
• Charging locations can be recorded to track users and learn their behaviors. The charging station can build user profiles.
Further, the study of the ISO/IEC 15118 standard shows that privacy has not been a design goal and that privacy issues exist with the current implementation (see Section 3.4.4). To understand the exact privacy implications, a privacy impact assessment is required.